Fix #994: make registration-only bans behaviour better tested

misago/users/bans.py

@@ -66,7 +66,11 @@ def _set_user_ban_cache(user):
     ban_cache.bans_version = cachebuster.get_version(VERSION_KEY)
 
     try:
-        user_ban = Ban.objects.get_ban(username=user.username, email=user.email)
+        user_ban = Ban.objects.get_ban(
+            username=user.username,
+            email=user.email,
+            registration_only=False,
+        )
 
         ban_cache.ban = user_ban
         ban_cache.expires_on = user_ban.expires_on

misago/users/models/ban.py

@@ -43,10 +43,9 @@ class BansManager(models.Manager):
         if ip:
             checks.append(self.model.IP)
 
-        queryset = self.filter(
-            is_checked=True,
-            registration_only=registration_only,
-        )
+        queryset = self.filter(is_checked=True)
+        if not registration_only:
+            queryset = self.filter(registration_only=False)
 
         if len(checks) == 1:
             queryset = queryset.filter(check_type=checks[0])

misago/users/tests/test_auth_api.py

@@ -171,6 +171,32 @@ class GatewayTests(TestCase):
         self.assertEqual(user_json['id'], user.id)
         self.assertEqual(user_json['username'], user.username)
 
+    def test_login_ban_registration_only(self):
+        """login api ignores registration-only bans"""
+        user = UserModel.objects.create_user('Bob', 'bob@test.com', 'Pass.123')
+
+        Ban.objects.create(
+            check_type=Ban.USERNAME,
+            banned_value='bob',
+            registration_only=True,
+        )
+
+        response = self.client.post(
+            '/api/auth/',
+            data={
+                'username': 'Bob',
+                'password': 'Pass.123',
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+
+        response = self.client.get('/api/auth/')
+        self.assertEqual(response.status_code, 200)
+
+        user_json = response.json()
+        self.assertEqual(user_json['id'], user.id)
+        self.assertEqual(user_json['username'], user.username)
+
     def test_login_inactive_admin(self):
         """login api fails to sign admin-activated user in"""
         UserModel.objects.create_user('Bob', 'bob@test.com', 'Pass.123', requires_activation=1)

misago/users/tests/test_user_middleware.py

@@ -1,6 +1,7 @@
 from django.urls import reverse
 
 from misago.users.bans import ban_ip, ban_user
+from misago.users.models import Ban
 from misago.users.testutils import AuthenticatedUserTestCase
 
 
@@ -36,6 +37,21 @@ class UserMiddlewareTest(AuthenticatedUserTestCase):
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response.json()['id'], self.user.pk)
 
+    def test_registration_only_ban(self):
+        """middleware ignores registration only bans"""
+        Ban.objects.create(
+            check_type=Ban.USERNAME,
+            banned_value='{}*'.format(self.user.username[:3]),
+            registration_only=True,
+        )
+        
+        response = self.client.get(self.test_link)
+        self.assertEqual(response.status_code, 200)
+
+        response = self.client.get(self.api_link)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.json()['id'], self.user.pk)
+
     def test_ip_banned_user(self):
         """middleware handles user that has been banned in meantime"""
         ban_ip('127.0.0.1')

misago/users/validators.py

@@ -32,7 +32,7 @@ def validate_email_available(value, exclude=None):
 
 
 def validate_email_banned(value):
-    ban = get_email_ban(value)
+    ban = get_email_ban(value, registration_only=True)
 
     if ban:
         if ban.user_message:
@@ -59,7 +59,7 @@ def validate_username_available(value, exclude=None):
 
 
 def validate_username_banned(value):
-    ban = get_username_ban(value)
+    ban = get_username_ban(value, registration_only=True)
 
     if ban:
         if ban.user_message: